The popularity of Fake AV and the efficacy of phishing are testament to the fact that human confusion is one of the drivers of online risk. One of the challenges in security is that it is difficult for people to know whether they are working with a secure system or facing a threat. For most people, security and privacy are not distinct risks, because what matters is that their information is compromised, not the mechanism of information exfiltration. Only the person trying to post anonymously knows the implications of loss of confidentiality or privacy: laughter, annoyance, embarrassment, loss of employment, and (in some cases) even imprisonment. In our research, we empower people to identify, mitigate, and avoid online risk.

Our research on computing risk requires first understanding the risk, using machine learning, statistical methods, network instrumentation, and homogeneous communities, as well as evaluations of specific protocols and devices. When risk can be identified, we mitigate it by design where possible. Sometimes risks must be accepted in order for networks to work, just as risks must be accepted for cars to work. In those cases, we design systems that embed risk communication, so that people knowingly choose to take a risk in exchange for a benefit. We empower people to protect themselves, or not, by choosing or avoiding risk online. Please see publications on human-centered computing for the results of our work.